I recently encountered some websites that restrict which content I can view based on the region I am located in. This is a brief tutorial on using Amazon EC2 and Squid to bypass those restrictions.

STARTING A NEW EC2 INSTANCE

I chose to use Ubuntu 12.10 Server for my instance. AMI identifiers vary per-region, so if you want a different operating system or are creating an instance in a different region, you should search the Ubuntu Amazon EC2 AMI Locator for a different AMI.

INSTALL SQUID

sudo apt-get -y install squid

This configuration is specifically tailored to consume very few resources. Also, the configuration limits which headers will be passed through the proxy in an effort to anonymize the origin of the request.

PROXY AUTO-CONFIGURATION (OPTIONAL)

Proxy auto-configuration works by periodically serving a file to your browser that tells it which destinations should use the proxy and which should bypass it. Proxy auto-configuration is not a requirement; however, it does allow changing proxy rules without modifying the client.

If you don’t want to use proxy auto-configuration, skip this section.

Install nginx:

sudo apt-get -y install nginx

Replace /usr/share/nginx/www/proxy.pac with the following code block.

You will also need to modify the PROXY line to reflect the public IP address of your instance. You can find the current public IP address of your instance by using curl (see the comment in the proxy.pac file below).
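A proxy.pac illustrating the routing described in this section, added here as an example and not the author's original file. The proxy address 203.0.113.10, the domain list and the helper names are placeholders; port 8080 is the Squid port opened in the security group later on this page.

```javascript
// proxy.pac -- added example; every host, domain and address is a placeholder.
// 203.0.113.10 stands in for the instance's public IP address.
var PROXY = "PROXY 203.0.113.10:8080";

// Constructed list of destinations that should leave via the proxy.
var PROXIED_DOMAINS = ["example.com", "video.example.net"];

// True for dotted-quad literals in loopback, link-local or RFC 1918 ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Match the domain itself or a true subdomain, never a look-alike such as
// "notexample.com" that merely ends with the same characters.
function inDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, "");  // normalise case, trailing dot
  // Intranet names and private addresses never go to the remote proxy.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host)) return "DIRECT";
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (inDomain(host, PROXIED_DOMAINS[i])) return PROXY;
  }
  return "DIRECT";  // everything else bypasses the proxy
}
```

Keeping single-label hostnames and private addresses on DIRECT stops requests for internal resources from being sent to the remote instance.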

LOCK IT DOWN!

Having an open proxy server on the internet is probably not your intention.

You will need to change the allowed_hosts ACL in the /etc/squid3/squid.conf file to add your client's IP address/netmask so it can access the proxy.

If you are using proxy auto-configuration, you will also need to change the location / directive in /etc/nginx/sites-enabled/default to add your client's IP address/netmask so it can access the proxy auto-configuration file.

You should probably also delete the example references to 10.10.10.10 from both locations.

MODIFY THE INSTANCE SECURITY GROUP

By default, instances only permit inbound. In addition to telling our applications which clients to allow, we must tell EC2 as well.

Determine which security group your instance is using. You are specifically looking for a label that looks like sg-12345678.

ec2-describe-instances --region eu-west-1

Assuming you are using the security group sg-12345678:

ec2-authorize --region eu-west-1 sg-12345678 -p 8080

If you are using proxy auto-configuration, you need to open up tcp/80 as well.

ec2-authorize --region eu-west-1 sg-12345678 -p 80

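The ec2-authorize commands above give no source with -s, so each rule defaults to 0.0.0.0/0 and the Squid and nginx ACLs are the only restriction on who can connect; add -s with your client's IP address/netmask to restrict the ports at the security group too. Verify the security group is correct: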

ec2-describe-group --region eu-west-1 sg-12345678

CLIENTS USING PROXY AUTO-CONFIGURATION

CLIENTS USING MANUAL PROXY SETTINGS

Using Amazon EC2 and Squid to bypass content region restrictions was published on November 23, 2012.